Application and platform security

Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.

Top Stories

Tip 01 Jun 2023
Low-code/no-code use cases for security

Low-code/no-code development approaches have their fair share of security issues, but that doesn't mean they can't be used to benefit the security industry, too. Continue Reading
News 01 Jun 2023
Mitiga warns free Google Drive license lacks logging visibility

The ability to view logs is critical for enterprises to detect and attribute malicious activity. Mitiga said the Google Drive issue allows data exfiltration without a trace. Continue Reading

News 23 Mar 2017

DV certificates abused, but policing may not be possible

Research shows DV certificates can be a prime target for phishing and malware operators, but experts are unsure how certificate authorities should deal with the issue. Continue Reading
News 17 Mar 2017

Yahoo fallout: Minted authentication cookies raise concerns

Although minting authentication cookies is not widely understood, the Yahoo hacker indictments has brought it to the forefront and shown it can be very dangerous. Continue Reading
News 14 Mar 2017

Nine critical Windows security bulletins in Patch Tuesday

After its cancelled February Patch Tuesday, Microsoft's March 2017 Patch Tuesday includes nine critical Windows security bulletins targeting remote code execution flaws. Continue Reading
News 14 Mar 2017

Android ransomware and more pre-installed on devices

Security researchers found Android ransomware and malware pre-installed on popular devices, putting users at risk for information theft, tracking and more. Continue Reading
Answer 08 Mar 2017

How can attacks bypass ASLR protection on Intel chips?

An Intel chip flaw lets attackers bypass ASLR protection on most operating systems. Expert Michael Cobb explains the vulnerability and how to prevent attacks. Continue Reading
News 06 Mar 2017

FBI chooses to protect Tor vulnerability and dismiss child porn case

The Department of Justice dropped a child pornography case in order to avoid disclosing a Tor vulnerability; dozens more cases potentially affected. Continue Reading
News 03 Mar 2017

Slack hack threatened to expose user account data and messages

News roundup: A researcher discovers a Slack hack through stolen tokens. Plus, another WordPress flaw puts 1 million users at risk; Necurs botnet does DDoS now; and more. Continue Reading
Answer 02 Mar 2017

What should enterprises know about how a stored XSS exploit works?

A stored XSS exploit can be damaging to enterprises that aren't fully protected. Expert Matthew Pascucci explains what stored XSS attacks are and how to defend against them. Continue Reading
News 28 Feb 2017

Edge and IE vulnerability disclosed by Project Zero

Google Project Zero's 90-day disclosure policy bites Microsoft again, as a zero-day Edge and IE vulnerability is made public before a patch is available. Continue Reading
News 24 Feb 2017

Project Zero discovers Cloudflare bug leaking sensitive customer data

The Cloudflare bug in CDN is fixed after causing sensitive customer data to leak. Google Project Zero discovered the flaw, and users were warned to change passwords. Continue Reading
News 21 Feb 2017

Google discloses Windows vulnerability after canceled Patch Tuesday

Google Project Zero discloses a Windows vulnerability that passed the 90-day deadline. And it comes soon after Microsoft canceled its Patch Tuesday release. Continue Reading
News 17 Feb 2017

Microsoft Patch Tuesday February release delayed by a month

News roundup: Microsoft Patch Tuesday was canceled in February without a clear reason. Plus, APT28 is linked to new Mac malware; Lazarus targets more banks and more. Continue Reading
News 10 Feb 2017

Is the Ticketbleed flaw the new Heartbleed vulnerability?

News roundup: F5 virtual server flaw, dubbed Ticketbleed, is similar to Heartbleed. Plus, DHS is considering requiring social media passwords on visa applications, and more. Continue Reading
Podcast 08 Feb 2017

Risk & Repeat: Pentagon cybersecurity under fire

In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss Pentagon cybersecurity amid reports of misconfigured servers at the U.S. Department of Defense. Continue Reading
Tip 07 Feb 2017

How Windows hardening techniques can improve Windows 10

Windows 10 may be the most secure Windows ever, but expert Ed Tittel explains how to use Windows hardening techniques to make systems even more secure. Continue Reading
News 07 Feb 2017

SQL Slammer worm makes a comeback 14 years later

The SQL Slammer worm returned to take down systems that have been left unpatched for the past 14 years, but experts are unsure if the attacks will continue. Continue Reading
News 03 Feb 2017

Microsoft delays Windows zero-day patch; researcher drops exploit code

Microsoft decided to delay a Windows zero-day patch by two months, prompting the researcher who found it to post the proof-of-concept exploit code. Continue Reading
News 26 Jan 2017

More than 200 vulnerabilities found in Trend Micro security products

Researchers uncovered more than 200 vulnerabilities across Trend Micro products, but experts said the company brand won't take a hit. Continue Reading
Podcast 25 Jan 2017

Risk & Repeat: Windows SMB warning raises questions, concerns

In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the Shadow Brokers' alleged exploit for Windows SMB and what it means for both enterprises and Microsoft. Continue Reading
News 25 Jan 2017

Project Zero finds Cisco WebEx vulnerability in browser extensions

A critical Cisco WebEx vulnerability in the service's browser extensions was discovered and patched, though some disagree the patch goes far enough to protect against attack. Continue Reading
News 19 Jan 2017

Windows 10 security tackles exploits, while Windows 7 gets a warning

As Microsoft touted its Windows 10 security features defeating unpatched zero-day vulnerabilities, it also warned customers about security issues with Windows 7. Continue Reading
News 19 Jan 2017

US-CERT reminds users that Windows SMB v1 needs to die

Experts say US-CERT is taking advantage of a potential -- but unverified -- vulnerability in Windows SMB v1 to remind enterprise users the outdated service should be disabled. Continue Reading
News 10 Jan 2017

January Patch Tuesday sparse before Windows security updates change

Microsoft offers up a meager January 2017 Patch Tuesday release before bigger changes planned for Windows security update announcements, which are set to take effect in February. Continue Reading
News 04 Jan 2017

SSL certificate validation flaw discovered in Kaspersky AV software

Google Project Zero discovers more antivirus vulnerabilities. This time, the issues are with how Kaspersky Lab handles SSL certificate validation and CA root certificates. Continue Reading
Answer 04 Jan 2017

How does a Linux vulnerability allow attacks on TCP communications?

A Linux vulnerability that affects 80% of Android devices allows for attacks on TCP communications and remote code execution. Expert Michael Cobb explains how to mitigate these risks. Continue Reading
News 03 Jan 2017

Decades-old bug in the libpng open source graphics library patched

A low-severity vulnerability dating back to 1995 in libpng, the official reference library implementation for PNG, may have enabled remote DoS attacks. Continue Reading
Feature 30 Dec 2016

Hacking Web Intelligence

In this excerpt from chapter 8 of Hacking Web Intelligence, authors Sudhanshu Chauhan and Nutan Panda discuss how to be anonymous on the internet using proxy. Continue Reading
News 16 Dec 2016

Vulnerable websites make up half of the internet's top sites

News roundup: A report finds nearly half the internet is filled with vulnerable websites. Plus, SWIFT confirms more hacks, Amit Yoran steps down from RSA and more. Continue Reading
Feature 29 Nov 2016

DNS Security: Defending the Domain Name System

In this excerpt from chapter two of DNS Security: Defending the Domain Name System, authors Allan Liska and Geoffrey Stowe discuss why DNS security is important. Continue Reading
Tip 02 Sep 2016

Planning for an IPv6 attack: DDoS, neighbor discovery threats and more

An IPv6 DDoS attacks are imminent, and your network security tools may not be configured for it. Expert Michael Cobb explains how enterprises can prepare its defenses. Continue Reading
Feature 25 Jul 2016

How to start building an enterprise application security program

Building an effective application security program can be daunting. Sean Martin talks with experts about the best first steps enterprises should take. Continue Reading
Blog Post 21 Jul 2016

Environment variables: Should they be considered harmful?

In the wake of the httpoxy vulnerability, should environment variables be considered harmful? Perhaps, but they are just so useful. Continue Reading
News 26 May 2016

Retiring obsolete SHA-1 and RC4 cryptographic algorithms, SSLv3 protocol

Microsoft speeds deprecation of SHA-1, Google dropping support for RC4, SSLv3, as web software publishers approach end of life for obsolete cryptographic algorithms and protocols. Continue Reading
News 06 May 2016

Commercial code riddled with open source vulnerabilities

Roundup: Customers, vendors both unaware of unpatched open source vulnerabilities in commercial software. Plus OpenSSL patches, warrantless wiretaps and more. Continue Reading
Answer 21 Apr 2016

How does the banking Trojan Dyreza exploit Windows 10?

A variant of banking Trojan Dyreza has begun to target Windows 10. Expert Nick Lewis explains the new attack functionalities, and Windows 10 and user vulnerabilities. Continue Reading
Tip 21 Apr 2016

Breaking down the DROWN attack and SSLv2 vulnerability

A DROWN attack can occur through more than a third of all HTTPS connections. Expert Michael Cobb explains how DROWN enables man-in-the-middle attacks and mitigation steps to take. Continue Reading
Answer 01 Mar 2016

Outdated apps: What are the best ways to address them?

Dead and outdated apps can pose serious security risks for enterprises. Expert Nick Lewis explains how to find and remove dead apps before they become a problem. Continue Reading
News 29 Jan 2016

OpenSSL patch fixes encryption flaw and strengthens Logjam defense

A new OpenSSL patch fixes a severe encryption flaw and strengthens the protocol against the Logjam vulnerability. Continue Reading
News 28 Jan 2016

Oracle closing an attack vector by deprecating the Java browser plug-in

Oracle announced plans to deprecate the Java browser plug-in, a noted attack vector, though the choice was not entirely its own. Continue Reading
Tip 11 Jan 2016

Microsoft Device Guard tackles Windows 10 malware

A new Microsoft security feature takes aim at Windows 10 malware. Expert Michael Cobb explains what enterprises should know about Device Guard. Continue Reading
Answer 30 Dec 2015

Should the RC4 cipher still be used in enterprises?

A newly discovered attack can break the RC4 cipher and decrypt user cookies. Expert Michael Cobb explains the attack and the relevance of RC4 in enterprises today. Continue Reading
Answer 28 Dec 2015

How can software transplants fix bad code?

Copying and pasting bad code into an application is a big problem for developers, but software transplants can help. Expert Michael Cobb explains the technology. Continue Reading
Answer 16 Nov 2015

Can Google's Chrome extension policy improve Web security?

The updated Chrome extension policy allows users and developers to only install extensions from the Chrome Web Store. Learn how this affects security and enterprise apps. Continue Reading
Feature 04 Nov 2015

Comparing the top Web fraud detection systems

Expert Ed Tittel explores the features of the top Web fraud detection systems and compares critical purchasing criteria. Continue Reading
Answer 14 Oct 2015

How should enterprises manage social media compliance incidents?

Social media compliance incidents in financial institutions are on the rise. Here are the most common violations and how to avoid them in the future. Continue Reading
Tip 06 Oct 2015

How to perform a forensic acquisition of a virtual machine disk

Virtualization expert Paul Henry provides a step-by-step guide to imaging a virtual machine disk (*flat.vmdk) in a forensically sound manner. Continue Reading
Opinion 05 Oct 2015

Can white-box cryptography save your apps?

With the Internet of Things, software-based secure elements could hold the key. Continue Reading
Opinion 01 Oct 2015

McGraw: Seven myths of software security best practices

According to expert Gary McGraw, you're not helping yourself by believing the things -- all seven of them -- you've heard about secure software development. Continue Reading
Feature 15 Sep 2015

Comparing the best Web application firewalls in the industry

Expert Brad Causey compares the best Web application firewalls on the market across three types of product types: cloud, integrated and appliance. Continue Reading
Answer 09 Sep 2015

Should the Netdump flaw deter enterprise ODL SDN use?

The benefits of the ODL SDN platform are promising, but what about the recent Netdump flaw it experienced? Expert Kevin Beaver discusses why you may not want to pass on OpenDayligh just yet. Continue Reading
Feature 20 Aug 2015

Introduction to Web fraud detection systems

Expert Ed Tittel explores the purpose of Web fraud detection systems and services, which are designed to reduce the risks inherent in electronic payments and e-commerce. Continue Reading
News 20 May 2015

Google changes Chrome extension policy amid security concerns

Google's new Chrome extension policy mandates that all users and developers must install web browser extensions from the Chrome Web Store. Continue Reading
News 07 May 2015

Malware detection tool tackles medical device security

WattsUpDoc, an embedded system security tool used to detect malware in medical devices, is now in beta testing at two major U.S. hospitals. Continue Reading
Feature 17 Mar 2015

Four questions to ask before buying a Web application firewall

Web application firewalls are complex products. Expert Brad Causey explains the key criteria enterprises need to consider before investing in a WAF product. Continue Reading
Feature 19 Feb 2015

Business-use scenarios for a Web application firewall deployment

Web application firewalls can be a critical security layer for many companies. Expert Brad Causey explains when and how to deploy a WAF in the enterprise. Continue Reading
Feature 17 Feb 2015

Introduction to Web application firewalls in the enterprise

Expert Brad Causey takes a close look at Web application firewalls, explains how WAF technology can prevent Internet-based attacks from known and unknown applications threats, and offers advice on WAF management and deployment. Continue Reading
Feature 15 Dec 2014

The Basics of Information Security

In this excerpt of The Basics of Information Security, author Jason Andress outlines methods for improving operating systems security. Continue Reading
Answer 01 Dec 2014

Can setting a cache-control header improve application data security?

Application security expert Michael Cobb reviews the cache-control header codes that can help prevent a Web application from storing sensitive data. Continue Reading
Answer 01 Dec 2014

Are LibreSSL and BoringSSL safe OpenSSL alternatives?

Since the revelation of the Heartbleed flaw, OpenSSL security has been put into question. Expert Michael Cobb discusses whether LibreSSL and BoringSSL could serve as OpenSSL alternatives. Continue Reading
Answer 19 Nov 2014

How can vishing attacks be prevented?

Enterprise threats expert Nick Lewis explains what vishing attacks are and offers best practices for defending against them. Continue Reading
Feature 29 Sep 2014

Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides

In this excerpt of Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides, the authors explain how to discover and extract malware from a Linux system. Continue Reading
Feature 21 Apr 2014

Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace

This is an excerpt from the book Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace by Todd G. Shipley and Art Bowker. Continue Reading
Feature 31 Mar 2014

Linux Malware Incident Response

In this excerpt from Linux Malware Incident Response, authors Cameron Malin, Eoghan Casey and James Aquilina discuss volatile data collection methodology, steps and preservation. Continue Reading
Feature 17 Mar 2014

Social Media Security

In this excerpt from Social Media Security, author Michael Cross offers a number of strategies to help ensure social media security. Continue Reading
Feature 03 Feb 2014

Tor networks: Stop employees from touring the deep Web

Are employees using Tor to view blocked Web sites, or mining Bitcoins on corporate resources? Sinister or not, it needs to stop. Continue Reading
Answer 12 Mar 2013

Bing security: Is search engine poisoning a problem for Bing users?

Is Microsoft's Bing search engine more susceptible to search engine poisoning than Google? Expert Michael Cobb discusses Bing security. Continue Reading
Quiz 18 Jan 2013

Quiz: Why SSL certificate security matters

In this five-question quiz, evaluate your knowledge of our Security School lesson on why SSL certificate security is important. Continue Reading
Opinion 17 Jan 2013

Thirteen principles to ensure enterprise system security

Designing sound enterprise system security is possible by following Gary McGraw's 13 principles, many of which have held true for decades. Continue Reading
Answer 31 Aug 2011

How to mitigate the risk of a TOCTTOU attack

Are TOCTTOU attacks, exploiting time-of-check-to-time-of-use race conditions, a threat to your enterprise file systems? Expert Michael Cobb discusses the dangers and how to mitigate them. Continue Reading
Tip 11 Mar 2011

Securing a multi-tenant environment

Learn some of the key elements for secure multi-tenancy. Continue Reading
Tip 03 Feb 2011

The hypervisor security patch management process

Enterprises using virtualization must include hypervisor patching in their patch management process. Robbie Higgins explains why. Continue Reading
Tip 30 Jul 2010

How to avoid attacks that exploit a Web browser vulnerability

Beyond patching, Tom Chmielarski explains what you'll need to do to avoid application exploits caused by Web browser vulnerabilities. Continue Reading
Answer 05 Jul 2010

Why it's important to turn on DEP and ASLR Windows security features

In the quest for application security, many developers are disabling or incorrectly implementing two important Windows security features. In this expert response, Michael Cobb explains why ASLR and DEP should always be turned on. Continue Reading
Tip 30 Mar 2010

Using Windows software restriction policies to stop executable code

Software restriction policies are one way to prevent known malware and file-sharing applications from taking control of your network. Continue Reading
Quiz 19 Nov 2009

Quiz: How to build secure applications

Use this five-question quiz to test your knowledge of how to secure your enterprise apps. Continue Reading
Tip 03 Nov 2009

Security benefits of virtual desktop infrastructures

In a highly regulated industry where security is critical, financial-services firms are turning to virtual desktop infrastructures. In this tip, Eric Ogren explains the security benefits of virtualized desktops and virtual workspace projects, including malware-resistant software configurations and enhanced data loss prevention. Continue Reading
Tip 23 Sep 2009

Determine your Microsoft Windows patch level

A handful of patch management tools from Microsoft and third -parties can help your organization determine your Windows patch level and identify missing security patches. Continue Reading
Answer 22 Sep 2009

How to prevent ActiveX security risks

Application expert Michael Cobb explains why ActiveX security relies entirely on human judgment. Continue Reading
Tip 18 Jun 2009

When BIOS updates become malware attacks

Most security pros don't give the system BIOS a second thought, or even a first one, but today's BIOS types are highly susceptible to malicious hackers. Information security threats expert Sherri Davidoff explains how attackers can plant BIOS malware and how security pros can thwart such attacks. Continue Reading
Tip 02 Mar 2009

How many firewalls do you need?

Whether your organizations needs multiple sets of firewalls depends on whether they will protect clients, servers or both and what kind of traffic they will monitor. Continue Reading
Answer 11 Feb 2009

How does a Web server model differ from an application server model?

A Web server model and an application server model share many similarities but require different defense methods. Each model, for example, calls for distinct placement of application servers. Continue Reading
Answer 14 Oct 2008

What are the basics of a Web browser exploit?

John Strand explains how attackers target a flaw in either the browser or in an application that the browser calls to process a Web request. Continue Reading
Tip 19 May 2008

Ophcrack: Password cracking made easy

Scott Sidel examines the open source security tool Ophcrack, a password cracking tool aimed at ensuring the strength of corporate passwords. Continue Reading
Answer 11 Feb 2008

What software development practices prevent input validation attacks?

Improper input validation leads to numerous kinds of attacks, including cross-site scripting, SQL injection and command injection. In this expert Q&A, Michael Cobb reviews the most important application development practices. Continue Reading
Tip 17 Jan 2008

Developing a patch management policy for third-party applications

Enterprises may push the latest critical Windows patches once a month, but here's a dirty little secret: Most organizations don't bother patching their third-party applications. The diversity of client-side software -- including everything from Acrobat Reader to iTunes -- complicates matters, but security professionals shouldn't lose hope. Effective patch management for third-party products is possible, and contributor Ed Skoudis has the tools to do it. Continue Reading
Tip 11 Oct 2007

Preparing for uniform resource identifier (URI) exploits

URIs have always been a user-friendly way to recognize and access Web resources. By crafting malicious URLs and manipulating protocol handlers, however, attackers have devised new attacks that take advantage of the URI's locator functionality. Web security expert Michael Cobb explains how the identifier exploits may start a fresh round of problems for developers and users alike. Continue Reading
Answer 31 May 2007

What are the drawbacks to application firewalls?

Application-layer firewalls examine ingoing and outgoing traffic more carefully than traditional packet-filtering firewalls, so why are some holding back on deployment? In this SearchSecurity.com Q&A, Michael Cobb reveals some cost and performance issues. Continue Reading
Answer 24 Apr 2007

What is an Nmap Maimon scan?

Systems are often designed to hide out on a network. In this SearchSecurity.com Q&A, network security expert Mike Chapple explains how Nmap Maimon scans can get a response out of them. Continue Reading
Answer 17 Jan 2007

Will two different operating systems cause administrative problems?

Using two different operating systems can often boost a company's security, but there are practical limitations to the enterprise practice. In this expert Q&A, Michael Cobb reveals how separate platforms can lead to deployment issues and higher development costs. Continue Reading
Quiz 19 Jan 2006

Web application threats and vulnerabilities quiz answers

Continue Reading
Tip 15 Nov 2004

How to patch vulnerabilities and keep them sealed

Learn how to simplify the patch deployment process and employ methods that will reduce vulnerabilities. Continue Reading